February 16, 2021
Severity
High
Analysis Summary
An uptick in phishing campaigns has been observed targeting multiple organizations, including financial institutions, by abusing the ngrok platform. Ngrok is a cross-platform application used to expose a local development server to the internet: it creates a long-lived TCP tunnel to the localhost so that the locally hosted server appears to be hosted on a subdomain of ngrok (e.g., 4f421deb219c[.]ngrok[.]io). The ngrok server software is self-hosted on a VPS or a dedicated server. It is able to bypass NAT mapping and firewall restrictions.
Multiple threat actors have abused the ngrok platform to gain unauthorized access to targets, deliver additional payloads, exfiltrate financial data such as credit/debit card information, and carry out targeted phishing attacks. Ngrok-based attacks are harder to detect because they use random subdomains of ngrok.com and bypass security devices such as firewalls, which makes the platform attractive to cybercriminals.
Some of the new malware strains and phishing campaigns using ngrok tunnelling are:
- njRAT
- DarkComet
- Quasar RAT
- AsyncRAT
- NanoCore RAT
In 2019, this platform was also abused to deliver Lokibot.
The steps of the abuse are as follows:
- The tool creates an ngrok tunnel to the chosen phishing URL on the specified port.
- The hacker tracks real-time logs in the first session and waits for victims to enter their phone number.
- The hacker then logs into the affected application's official site with the harvested credentials and generates an OTP (2FA).
- Victims then enter the received OTP into the phishing site, where the hacker captures it.
- Finally, the hacker gains access to the victims' official account using the OTP (2FA).
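As an added example that is not part of the Rewterz advisory: the Python below scans constructed proxy, DNS and mail-gateway log lines and reports which internal hosts resolved or contacted a random 12-hex-character ngrok tunnel subdomain of the form quoted above, which is the network trace the steps above leave behind. The field names (src=, client=, host=, qname=) are assumptions about the log format, and the sample lines are constructed for this example.

```python
import re

# Tunnel hostnames in this campaign are 12 hex characters under ngrok.io; the
# advisory quotes 4f421deb219c[.]ngrok[.]io as the example form.
NGROK_TUNNEL = re.compile(r"^[0-9a-f]{12}\.ngrok\.io$")
# Any ngrok hostname at all (tunnel subdomain or the bare ngrok.io / ngrok.com).
NGROK_ANY = re.compile(r"\b(?:[a-z0-9-]+\.)*ngrok\.(?:io|com)\b", re.IGNORECASE)
# Assumed log fields that identify the internal endpoint involved.
SOURCE = re.compile(r"\b(?:src|client)=(\S+)")

def refang(text: str) -> str:
    """Undo the [.] defanging used in indicator lists so the patterns match."""
    return text.replace("[.]", ".")

def ngrok_hosts(line: str) -> list[str]:
    """Every ngrok hostname in one log line, lower-cased."""
    return [m.group(0).lower() for m in NGROK_ANY.finditer(refang(line))]

def tunnel_ids(line: str) -> list[str]:
    """The 12-hex tunnel identifiers in a line (empty if only the bare domain appears)."""
    return [h[:12] for h in ngrok_hosts(line) if NGROK_TUNNEL.match(h)]

def suspicious_sources(lines) -> dict[str, set[str]]:
    """Map each internal source (src= / client=) to the tunnel IDs it contacted."""
    hits: dict[str, set[str]] = {}
    for line in lines:
        ids = tunnel_ids(line)
        src = SOURCE.search(line)
        if ids and src:
            hits.setdefault(src.group(1), set()).update(ids)
    return hits

# Constructed sample lines (proxy, DNS and mail gateway) for demonstration only.
SAMPLE_LOGS = [
    "2021-02-16T09:12:01Z proxy src=10.0.4.21 host=4f421deb219c.ngrok.io uri=/login status=200",
    "2021-02-16T09:12:03Z dns client=10.0.4.21 qname=4f421deb219c.ngrok.io qtype=A",
    "2021-02-16T09:15:44Z proxy src=10.0.4.30 host=www.example.org uri=/ status=200",
    "2021-02-16T09:20:10Z mail rcpt=10.0.4.30 from=contact@ngrok.com subject=tunnel",
    "2021-02-16T09:31:27Z dns client=10.0.4.57 qname=1B96BD67151A.ngrok.io qtype=A",
]

if __name__ == "__main__":
    for src, ids in suspicious_sources(SAMPLE_LOGS).items():
        print(f"{src}: contacted ngrok tunnel(s) {sorted(ids)}")
```

A hit on the bare ngrok.com domain (the mail line) is reported by ngrok_hosts but not counted as a tunnel, so legitimate developer use can be reviewed separately from tunnel traffic.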
Impact
- Security Bypass
- Unauthorized Access
- Exfiltration of Financial Data
Indicators of Compromise
Domain Name
- ngrok[.]io
From Email
- contact@ngrok[.]com
Hostname
Remediation
- Block the threat indicators at their respective controls.
- Do not enter credentials or PII (personally identifiable information) on untrusted platforms or websites.